added inline tests, move to experimental dir

Author: am0o0

javascript/ql/lib/javascript.qll

@@ -123,7 +123,6 @@ import semmle.javascript.frameworks.Request
 import semmle.javascript.frameworks.RxJS
 import semmle.javascript.frameworks.ServerLess
 import semmle.javascript.frameworks.ShellJS
-import semmle.javascript.frameworks.Execa
 import semmle.javascript.frameworks.Snapdragon
 import semmle.javascript.frameworks.SystemCommandExecutors
 import semmle.javascript.frameworks.SQL

javascript/ql/lib/semmle/javascript/frameworks/Execa.qll renamed to javascript/ql/src/experimental/semmle/javascript/Execa.qll

@@ -3,7 +3,6 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.RequestForgeryCustomizations
 
 /**
  * Provide model for [Execa](https://github.com/sindresorhus/execa) package

javascript/ql/test/experimental/Execa/CommandInjection/tests.expected

@@ -0,0 +1,22 @@
+passingPositiveTests
+| PASSED | CommandInjection | tests.js:11:46:11:70 | // test ... jection |
+| PASSED | CommandInjection | tests.js:12:43:12:67 | // test ... jection |
+| PASSED | CommandInjection | tests.js:13:63:13:87 | // test ... jection |
+| PASSED | CommandInjection | tests.js:14:62:14:86 | // test ... jection |
+| PASSED | CommandInjection | tests.js:15:60:15:84 | // test ... jection |
+| PASSED | CommandInjection | tests.js:17:45:17:69 | // test ... jection |
+| PASSED | CommandInjection | tests.js:18:42:18:66 | // test ... jection |
+| PASSED | CommandInjection | tests.js:19:62:19:86 | // test ... jection |
+| PASSED | CommandInjection | tests.js:20:63:20:87 | // test ... jection |
+| PASSED | CommandInjection | tests.js:21:60:21:84 | // test ... jection |
+| PASSED | CommandInjection | tests.js:23:43:23:67 | // test ... jection |
+| PASSED | CommandInjection | tests.js:24:40:24:64 | // test ... jection |
+| PASSED | CommandInjection | tests.js:25:40:25:64 | // test ... jection |
+| PASSED | CommandInjection | tests.js:26:60:26:84 | // test ... jection |
+| PASSED | CommandInjection | tests.js:28:41:28:65 | // test ... jection |
+| PASSED | CommandInjection | tests.js:29:58:29:82 | // test ... jection |
+| PASSED | CommandInjection | tests.js:31:51:31:75 | // test ... jection |
+| PASSED | CommandInjection | tests.js:32:68:32:92 | // test ... jection |
+| PASSED | CommandInjection | tests.js:34:49:34:73 | // test ... jection |
+| PASSED | CommandInjection | tests.js:35:66:35:90 | // test ... jection |
+failingPositiveTests

javascript/ql/test/experimental/Execa/CommandInjection/tests.js

@@ -0,0 +1,36 @@
+import { execa, execaSync, execaCommand, execaCommandSync, $ } from 'execa';
+import http from 'node:http'
+import url from 'url'
+
+http.createServer(async function (req, res) {
+    let cmd = url.parse(req.url, true).query["cmd"][0];
+    let arg1 = url.parse(req.url, true).query["arg1"];
+    let arg2 = url.parse(req.url, true).query["arg2"];
+    let arg3 = url.parse(req.url, true).query["arg3"];
+
+    await $`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    await $`ssh ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $({ shell: false }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $({ shell: true }).sync`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $({ shell: false }).sync`ssh ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+
+    $.sync`${cmd} ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    $.sync`ssh ${arg1} ${arg2} ${arg3}`; // test: CommandInjection
+    await $({ shell: true })`${cmd} ${arg1} ${arg2} ${arg3}` // test: CommandInjection
+    await $({ shell: false })`${cmd} ${arg1} ${arg2} ${arg3}` // test: CommandInjection
+    await $({ shell: false })`ssh ${arg1} ${arg2} ${arg3}` // test: CommandInjection
+
+    await execa(cmd, [arg1, arg2, arg3]); // test: CommandInjection
+    await execa(cmd, { shell: true }); // test: CommandInjection
+    await execa(cmd, { shell: true }); // test: CommandInjection
+    await execa(cmd, [arg1, arg2, arg3], { shell: true }); // test: CommandInjection
+
+    execaSync(cmd, [arg1, arg2, arg3]); // test: CommandInjection
+    execaSync(cmd, [arg1, arg2, arg3], { shell: true }); // test: CommandInjection
+
+    await execaCommand(cmd + arg1 + arg2 + arg3); // test: CommandInjection
+    await execaCommand(cmd + arg1 + arg2 + arg3, { shell: true }); // test: CommandInjection
+
+    execaCommandSync(cmd + arg1 + arg2 + arg3); // test: CommandInjection
+    execaCommandSync(cmd + arg1 + arg2 + arg3, { shell: true }); // test: CommandInjection
+});

javascript/ql/test/experimental/Execa/CommandInjection/tests.ql

@@ -0,0 +1,38 @@
+import javascript
+
+class InlineTest extends LineComment {
+  string tests;
+
+  InlineTest() { tests = this.getText().regexpCapture("\\s*test:(.*)", 1) }
+
+  string getPositiveTest() {
+    result = tests.trim().splitAt(",").trim() and not result.matches("!%")
+  }
+
+  predicate hasPositiveTest(string test) { test = this.getPositiveTest() }
+
+  predicate inNode(DataFlow::Node n) {
+    this.getLocation().getFile() = n.getFile() and
+    this.getLocation().getStartLine() = n.getStartLine()
+  }
+}
+
+import experimental.semmle.javascript.Execa
+
+query predicate passingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "PASSED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "CommandInjection" and
+  exists(SystemCommandExecution n |
+    t.inNode(n.getArgumentList()) or t.inNode(n.getACommandArgument())
+  )
+}
+
+query predicate failingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "FAILED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "CommandInjection" and
+  not exists(SystemCommandExecution n |
+    t.inNode(n.getArgumentList()) or t.inNode(n.getACommandArgument())
+  )
+}

javascript/ql/test/experimental/Execa/PathInjection/tests.expected

@@ -0,0 +1,6 @@
+passingPositiveTests
+| PASSED | PathInjection | tests.js:9:43:9:64 | // test ... jection |
+| PASSED | PathInjection | tests.js:12:50:12:71 | // test ... jection |
+| PASSED | PathInjection | tests.js:15:61:15:82 | // test ... jection |
+| PASSED | PathInjection | tests.js:18:73:18:94 | // test ... jection |
+failingPositiveTests

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/execa.js renamed to javascript/ql/test/experimental/Execa/PathInjection/tests.js

@@ -6,14 +6,14 @@ http.createServer(async function (req, res) {
     let filePath = url.parse(req.url, true).query["filePath"][0];
 
     // Piping to stdin from a file
-    await $({ inputFile: filePath })`cat`  // NOT OK
+    await $({ inputFile: filePath })`cat` // test: PathInjection
 
     // Piping to stdin from a file
-    await execa('cat', { inputFile: filePath }); // NOT OK
+    await execa('cat', { inputFile: filePath }); // test: PathInjection
 
     // Piping Stdout to file
-    await execa('echo', ['example3']).pipeStdout(filePath); // NOT OK
+    await execa('echo', ['example3']).pipeStdout(filePath); // test: PathInjection
 
     // Piping all of command output to file
-    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // NOT OK
+    await execa('echo', ['example4'], { all: true }).pipeAll(filePath); // test: PathInjection
 });

javascript/ql/test/experimental/Execa/PathInjection/tests.ql

@@ -0,0 +1,34 @@
+import javascript
+
+class InlineTest extends LineComment {
+  string tests;
+
+  InlineTest() { tests = this.getText().regexpCapture("\\s*test:(.*)", 1) }
+
+  string getPositiveTest() {
+    result = tests.trim().splitAt(",").trim() and not result.matches("!%")
+  }
+
+  predicate hasPositiveTest(string test) { test = this.getPositiveTest() }
+
+  predicate inNode(DataFlow::Node n) {
+    this.getLocation().getFile() = n.getFile() and
+    this.getLocation().getStartLine() = n.getStartLine()
+  }
+}
+
+import experimental.semmle.javascript.Execa
+
+query predicate passingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "PASSED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "PathInjection" and
+  exists(FileSystemReadAccess n | t.inNode(n.getAPathArgument()))
+}
+
+query predicate failingPositiveTests(string res, string expectation, InlineTest t) {
+  res = "FAILED" and
+  t.hasPositiveTest(expectation) and
+  expectation = "PathInjection" and
+  not exists(FileSystemReadAccess n | t.inNode(n.getAPathArgument()))
+}